GajiHub Bug Bounty Program
GajiHub is committed to resolving any issues that could compromise the security of our products and services as quickly as possible. We take security vulnerabilities very seriously, and protecting our clients’ data is one of our top priorities.
Should you identify a vulnerability or security gap, we kindly ask that you keep the details private and share the relevant information with us responsibly, following the guidelines below.
How to Report a Security Vulnerability
If you believe you have found a vulnerability or security loophole in GajiHub’s products, services, or online platforms, please contact us immediately via the email below:
[email protected]
What Should Be Included in the Report?
Please provide as much detail as possible. Specifically, we appreciate the following:
- A clear explanation of the security vulnerability
- A list of affected products and services (including version numbers, if available)
- Steps to reproduce the vulnerability
- Proof-of-Concept code or software
- Any test accounts you have created
- URLs, IP addresses, or infrastructure related to the vulnerability (if applicable)
- Your contact information, such as your organization and a contact person for communication purposes
Scope
Activities Out of Scope
GajiHub considers the following activities potentially harmful to the platform or not helpful in improving the security of our environment or applications:
- Social engineering, including phishing
- Network DoS and DDoS attacks
- Brute-force attacks
- Physical attacks
- Any activity that alters or destroys data
Types of Vulnerabilities Out of Scope
The following classes of vulnerabilities are considered out of scope for the GajiHub Bug Bounty Program:
- Missing web security headers
- Issues enabling phishing, such as tabnabbing
- Misconfigured email server settings (SPF, DKIM, DMARC)
- Missing CSRF protection on logout buttons
- Missing CSP security headers or X-Frame-Options bypass
- Cookie flag–related security issues
- Wide SSL certificate scope
- Weak SSL ciphers / insufficient TLS versions enabled
- Email template injection
- Findings from automated tools without manual validation
- Broken links or redirects
- Disclosure of internal IP addresses
- Minor infrastructure detail disclosure without significant impact
- Verbose error messages without significant impact
- Insecure HTTP request methods
- Issues affecting unsupported browser versions
- Issues related to robots.txt
Next Steps
1. Please maintain confidentiality and refrain from publishing your findings until we have completed our investigation and implemented a patch or other mitigation measures.
2. The GajiHub security team will make every effort to contact you within 72 hours of your security vulnerability report and provide updates on our progress in addressing the issue.
3. We will notify you once our security team has applied a patch or mitigation, and we will add your name to our acknowledgements page on this site if the vulnerability is a valid high or critical issue.
Rules of Engagement
Please do not:
- Exploit any security vulnerabilities
- Access, delete, or modify GajiHub or client data
- Disclose the vulnerability to the public until it has been resolved
- Download more data than necessary to demonstrate the vulnerability
- Attempt to compromise client accounts
- Use social engineering, denial-of-service, or phishing attacks
Reward Policy
GajiHub does not offer fixed compensation for the disclosure of vulnerabilities in our systems. However, all efforts to help make GajiHub more secure are highly appreciated, and you will receive appropriate recognition, especially for high-quality or high-impact submissions.
Acknowledgements to Security Researchers
GajiHub extends our sincere appreciation to all security researchers and professionals who have contributed to enhancing the security of GajiHub’s products and services through our responsible disclosure program.
Top 10 GajiHub Bug Hunters
| Rank | Nickname | Points |
|---|---|---|
| #1 | C Cadbudsad | 180 pts |
| #2 | I Ibnu Cybersecurity | 50 pts |